Adding domains to and deleting domains from existing certificate

I'm still stuck, trying to get a certificate for a new domain. So I've decided to add it to my existing certificate. So I am going to systematically present my current status, then ask a specific question about adding a domain to my current SSL certificate.

(1) Did a cert dry run and made sure all is well before adding the new domain "pair" (w/ and w/o www). Successful. Listing below.

(2) Proved (I believe) that my DNS settings were correct. I did nslookup womenofaction.club and it resolved to the correct IP. Just for grins, I also did ping womenofaction.club and it pinged away. So I'm setting aside the DNS settings as suspect.

(3) Next, checked domains covered by the current cert:

```
[ken@alpha ~]$ sudo certbot certificates
[sudo] password for ken:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: enfeedia.com
Serial Number: 423397c545bd0bd96b82d002308664f4842
Key Type: RSA
Domains: enfeedia.com keligo.com llgorman.com packetstacks.com saddlebrookeranch.org sme62.org storiesofpetsbypetsforpets.com www.enfeedia.com www.keligo.com www.llgorman.com www.packetstacks.com www.saddlebrookeranch.org www.sme62.org www.storiesofpetsbypetsforpets.com
Expiry Date: 2022-11-25 13:03:11+00:00 (VALID: 57 days)
Certificate Path: /etc/letsencrypt/live/enfeedia.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/enfeedia.com/privkey.pem
```


Perfect.

(4) I spent some time with the Linode help community to make sure the VirtualHost stuff is correct. Confirmed. Also pressed the httpd conf file looking for anything that would cause a new vhost to block all existing ones. I do not see how anything there could have that effect.

The current VirtualHost listings are included here, then the question.


```
Processing /etc/letsencrypt/renewal/enfeedia.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for enfeedia.com and 13 more domains
Performing the following challenges:
http-01 challenge for enfeedia.com
http-01 challenge for keligo.com
http-01 challenge for llgorman.com
http-01 challenge for packetstacks.com
http-01 challenge for saddlebrookeranch.org
http-01 challenge for sme62.org
http-01 challenge for storiesofpetsbypetsforpets.com
http-01 challenge for www.enfeedia.com
http-01 challenge for www.keligo.com
http-01 challenge for www.llgorman.com
http-01 challenge for www.packetstacks.com
http-01 challenge for www.saddlebrookeranch.org
http-01 challenge for www.sme62.org
http-01 challenge for www.storiesofpetsbypetsforpets.com
Waiting for verification...
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/enfeedia.com/fullchain.pem

Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/enfeedia.com/fullchain.pem (success)
```


NOW--
Given everything appears to be correct, I entirely removed the VirtualHost block for the new womenofaction.club (put there in my attempt to get a new certificate for it) from the vhost config, and will use certbot to add the new domain to the current certificate.

Up to now, I've been trying to create a new certificate for the new domain. I'm changing my mind, as I need that new website to get online and all existing ones not be adversely affected.

Here's the current vhost.conf file:

```
<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName saddlebrookeranch.org
    ServerAlias www.saddlebrookeranch.org
    DocumentRoot /srv/www/saddlebrookeranch.org/public_html/
    ErrorLog /srv/www/saddlebrookeranch.org/logs/error.log
    CustomLog /srv/www/saddlebrookeranch.org/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.saddlebrookeranch.org [OR]
    RewriteCond %{SERVER_NAME} =saddlebrookeranch.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName enfeedia.com
    ServerAlias www.enfeedia.com
    DocumentRoot /srv/www/enfeedia.com/public_html/
    ErrorLog /srv/www/enfeedia.com/logs/error.log
    CustomLog /srv/www/enfeedia.com/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.enfeedia.com [OR]
    RewriteCond %{SERVER_NAME} =enfeedia.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName sme62.org
    ServerAlias www.sme62.org
    DocumentRoot /srv/www/sme62.org/public_html/
    ErrorLog /srv/www/sme62.org/logs/error.log
    CustomLog /srv/www/sme62.org/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.sme62.org [OR]
    RewriteCond %{SERVER_NAME} =sme62.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName llgorman.com
    ServerAlias www.llgorman.com
    DocumentRoot /srv/www/llgorman.com/public_html/
    ErrorLog /srv/www/llgorman.com/logs/error.log
    CustomLog /srv/www/llgorman.com/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.llgorman.com [OR]
    RewriteCond %{SERVER_NAME} =llgorman.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName storiesofpetsbypetsforpets.com
    ServerAlias www.storiesofpetsbypetsforpets.com
    DocumentRoot /srv/www/storiesofpetsbypetsforpets.com/public_html/
    ErrorLog /srv/www/storiesofpetsbypetsforpets.com/logs/error.log
    CustomLog /srv/www/storiesofpetsbypetsforpets.com/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.storiesofpetsbypetsforpets.com [OR]
    RewriteCond %{SERVER_NAME} =storiesofpetsbypetsforpets.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName keligo.com
    ServerAlias www.keligo.com
    DocumentRoot /srv/www/keligo.com/public_html/
    ErrorLog /srv/www/keligo.com/logs/error.log
    CustomLog /srv/www/keligo.com/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =keligo.com [OR]
    RewriteCond %{SERVER_NAME} =www.keligo.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName packetstacks.com
    ServerAlias www.packetstacks.com
    DocumentRoot /srv/www/packetstacks.com/public_html/
    ErrorLog /srv/www/packetstacks.com/logs/error.log
    CustomLog /srv/www/packetstacks.com/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =packetstacks.com [OR]
    RewriteCond %{SERVER_NAME} =www.packetstacks.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

-- one moment --

Here's the command that I believe I should execute to get womenofaction.club added and the vhost.config file automatically updated:

```
sudo certbot --expand -d enfeedia.com,keligo.com,llgorman.com,packetstacks.com,saddlebrookeranch.org,sme62.org,storiesofpetsbypetsforpets.com,www.enfeedia.com,www.keligo.com,www.llgorman.com,www.packetstacks.com,www.saddlebrookeranch.org,www.sme62.org,www.storiesofpetsbypetsforpets.com,womenofaction.club,www.womenofaction.club
```

I trust that's exactly correct.

I will back up the full server before executing that command. Other than that,
is there anything that must precede me running that command?

After executing the command, is there anything I must do to finish the task, and then restart the server?
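The risk in a hand-typed `-d` list is exactly what the command above shows: a name on the existing certificate is easy to repeat or leave out. As an added example (not from this thread), this shell helper builds the list from the `Domains:` line of `certbot certificates` plus the new names, de-duplicating them; the certbot output it parses is a constructed, shortened sample, and it assumes a single certificate lineage as on this server.

```shell
#!/bin/sh
# Added example (not from the thread): build the -d list for `certbot --expand`
# from the names already on the certificate, so none are dropped or retyped wrongly.

# Constructed, shortened sample of `sudo certbot certificates` output.
SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: enfeedia.com
    Domains: enfeedia.com keligo.com www.enfeedia.com www.keligo.com
    Expiry Date: 2022-11-25 13:03:11+00:00 (VALID: 57 days)'

# existing_domains <certbot-output>: the space-separated names on the certificate.
existing_domains() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Domains:[[:space:]]*//p'
}

# expand_domain_list <certbot-output> <new names...>: merged, de-duplicated,
# comma-separated list in input order, as the -d argument expects.
expand_domain_list() {
    existing=$(existing_domains "$1")
    shift
    # $existing is deliberately unquoted so each name becomes its own line.
    printf '%s\n' $existing "$@" |
    awk 'NF && !seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 } END { print "" }'
}

# certbot_expand_cmd <certbot-output> <new names...>: prints the command to run,
# with the same flags as the command in the thread.
certbot_expand_cmd() {
    printf 'sudo certbot --expand -d %s\n' "$(expand_domain_list "$@")"
}

certbot_expand_cmd "$SAMPLE_CERTBOT_OUTPUT" womenofaction.club www.womenofaction.club
```

On a real host, pass `"$(sudo certbot certificates 2>/dev/null)"` as the first argument instead of the sample.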

I'd ensure there is nothing out of the ordinary with Apache.
Please show the output of:
```
apachectl -t -D DUMP_VHOSTS
```

4 Likes

```
[ken@alpha /]$ apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
AH00526: Syntax error on line 10 of /etc/httpd/conf.d/vhost-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/enfeedia.com/cert.pem' does not exist or is empty
```

GOOD CATCH. There should not be any reference to vhost-le-ssl.conf, as I understand that's for TLS certificates. I could be totally wrong on that point.

Here's a portion of that file, all port :443, repeats for each of my domains:

```
[ken@alpha conf.d]$ cat vhost-le-ssl.conf
<VirtualHost *:443>
    ServerAdmin fake@me.com
    ServerName enfeedia.com
    ServerAlias www.enfeedia.com
    DocumentRoot /srv/www/enfeedia.com/public_html/
    ErrorLog /srv/www/enfeedia.com/logs/error.log
    CustomLog /srv/www/enfeedia.com/logs/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/enfeedia.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/enfeedia.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/enfeedia.com/chain.pem
</VirtualHost>
```

----there's actually a </ VirtualHost> line here; when pasting the cat of the file, I had to insert that space to make it show:

```
<VirtualHost *:443>
    ServerAdmin fake@me.com
    ServerName keligo.com
    ServerAlias www.keligo.com
    DocumentRoot /srv/www/keligo.com/public_html/
    ErrorLog /srv/www/keligo.com/logs/error.log
    CustomLog /srv/www/keligo.com/logs/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/enfeedia.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/enfeedia.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/enfeedia.com/chain.pem
</VirtualHost>
```

etc, etc...

Will executing the "certbot --expand" command cause the missing files to be created? I suspect the cert.pem, privkey.pem and chain.pem for all my domains do not exist.

Thinking more about this in these early hours today, I think I deleted the <VirtualHost *:443> ... files yesterday or the day before, understanding them to be for TLS certs.

FWIW, there is not an <IfModule mod_ssl.c> ... </IfModule> for the domain I'm trying to add (womenofaction.club).

Only as two pieces, both below. Here's the file w/o the commented lines, as it stands right now:


```
[ken@alpha conf.d]$ cat vhost.conf
<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName saddlebrookeranch.org
    ServerAlias www.saddlebrookeranch.org
    DocumentRoot /srv/www/saddlebrookeranch.org/public_html/
    ErrorLog /srv/www/saddlebrookeranch.org/logs/error.log
    CustomLog /srv/www/saddlebrookeranch.org/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.saddlebrookeranch.org [OR]
    RewriteCond %{SERVER_NAME} =saddlebrookeranch.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName enfeedia.com
    ServerAlias www.enfeedia.com
    DocumentRoot /srv/www/enfeedia.com/public_html/
    ErrorLog /srv/www/enfeedia.com/logs/error.log
    CustomLog /srv/www/enfeedia.com/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.enfeedia.com [OR]
    RewriteCond %{SERVER_NAME} =enfeedia.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName sme62.org
    ServerAlias www.sme62.org
    DocumentRoot /srv/www/sme62.org/public_html/
    ErrorLog /srv/www/sme62.org/logs/error.log
    CustomLog /srv/www/sme62.org/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.sme62.org [OR]
    RewriteCond %{SERVER_NAME} =sme62.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName llgorman.com
    ServerAlias www.llgorman.com
    DocumentRoot /srv/www/llgorman.com/public_html/
    ErrorLog /srv/www/llgorman.com/logs/error.log
    CustomLog /srv/www/llgorman.com/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.llgorman.com [OR]
    RewriteCond %{SERVER_NAME} =llgorman.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName storiesofpetsbypetsforpets.com
    ServerAlias www.storiesofpetsbypetsforpets.com
    DocumentRoot /srv/www/storiesofpetsbypetsforpets.com/public_html/
    ErrorLog /srv/www/storiesofpetsbypetsforpets.com/logs/error.log
    CustomLog /srv/www/storiesofpetsbypetsforpets.com/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.storiesofpetsbypetsforpets.com [OR]
    RewriteCond %{SERVER_NAME} =storiesofpetsbypetsforpets.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName keligo.com
    ServerAlias www.keligo.com
    DocumentRoot /srv/www/keligo.com/public_html/
    ErrorLog /srv/www/keligo.com/logs/error.log
    CustomLog /srv/www/keligo.com/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =keligo.com [OR]
    RewriteCond %{SERVER_NAME} =www.keligo.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName packetstacks.com
    ServerAlias www.packetstacks.com
    DocumentRoot /srv/www/packetstacks.com/public_html/
    ErrorLog /srv/www/packetstacks.com/logs/error.log
    CustomLog /srv/www/packetstacks.com/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =packetstacks.com [OR]
    RewriteCond %{SERVER_NAME} =www.packetstacks.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

And here are the commented lines that appeared right after packetstacks. I also had another block at the very end, for sbr.cloud, which was commented out. At this time, I don't want to deal with sbr.cloud, so I took this moment in time to drop the lines for that. So you don't see that here and will not going forward. The final result will have 8 blocks, just 7 until I get womenofaction.club added.

```
#<VirtualHost *:80>
#    ServerAdmin ken.gorman@me.com
#    ServerName womenofaction.club
#    ServerAlias www.womenofaction.club
#    DocumentRoot /srv/www/womenofaction.club/public_html/
#    ErrorLog /srv/www/womenofaction.club/logs/error.log
#    CustomLog /srv/www/womenofaction.club/logs/access.log combined
#    RewriteEngine on
#RewriteCond %{SERVER_NAME} =womenofaction.club [OR]
#RewriteCond %{SERVER_NAME} =www.womenofaction.club
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
```

Please place 3 backticks before and after the Apache config. Otherwise key items may be lost to formatting. Like:
```
apache config
```

4 Likes

See above; edited to use the backticks. My delay to get back to you was that I actually exceeded the number of edits that are allowed per 24 hour period, or something like that.

I've been reading about CAA records in DNS. I don't have them for any of my domains. Necessary? If this is relevant, I'm seeking SSL, not TSL certificates.

The most recent VirtualHost for womenofaction.club is missing a commented out line with an ending </VirtualHost>.

No, not necessary.

3 Likes

They are the same thing.
SSL = old name
TLS = new name [not TSL]

2 Likes

I made that mistake earlier. But as it stands right now, I completely removed the commented VirtualHost for womenofaction.club, preparing to add womenofaction.club to the certificate, believing that will result in vhost.conf being automatically modified to include the VirtualHost "stanza" (is that what it's called?). I am trying to act like I'm just starting this process, i.e., a fresh start, such that the "residue" of my previous actions is not lying around and possibly triggering some kind of error condition.

You need to create the HTTP vhost.
certbot can use that to create the HTTPS vhost for you.

3 Likes

Well, well, that's "interesting". So that means the process to get a certificate for a site means, duh, first having the site in vhost.conf as HTTP. That seems so very obvious that I'm embarrassed to have this thread. Don't tell anyone. I'm gonna change my name.

By extension, that means I can have other vhost.conf stanzas for HTTP sites that are not commented out, anticipating I will seek to get the cert at some point. The cert process will not care because I would not have included them in the sudo certbot --expand command. I don't know if that's useful in any way, but just good to know ... I guess.

1 Like

Yes, absolutely true.

Further,
Instead of having each VirtualHost in the same .conf file they can also be in separate files. Example, you could have a womenclub.conf file with just your HTTP VHost. Certbot Apache plug-in will make a womenclub-le-ssl.conf file based on that and the needed SSL config. Your Include in your main http conf file will pick them all up.

And, it can even have its own cert. No need to keep them all bundled together. In fact, sometimes that is easier. You just run certbot with only that domain name. It creates a renewal conf file for it which the certbot renew will see and renew when needed.

If this all sounds confusing, just make a note for later.

2 Likes


This is sometimes due to running apachectl as a regular user instead of as root. If you run it as root, it should be able to read the certificate file, if it exists.

3 Likes
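Two things broke Apache in this thread: a VirtualHost block without its closing tag, and an SSLCertificateFile path that Apache rejects with AH00526 when the file is absent or empty (or unreadable because apachectl was run as a regular user). As an added example (not from this thread or from certbot), this pre-flight script checks both before `certbot --expand` is run; the config it inspects is a constructed sample, and a temporary file stands in for a key.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks to run (as root) before
# `certbot --expand`, catching the two problems seen in this thread: an unclosed
# <VirtualHost> block and an SSLCertificate*File path that is absent or empty
# (the condition behind Apache's AH00526 error).

# Constructed sample: a placeholder "key" that exists and a cert path that does not,
# plus a :443 block missing its </VirtualHost>, like the commented-out stanza above.
FAKE_KEY=$(mktemp)          # stands in for privkey.pem; its content is irrelevant
echo placeholder >"$FAKE_KEY"
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<EOF
<VirtualHost *:80>
    ServerName enfeedia.com
    ServerAlias www.enfeedia.com
</VirtualHost>
<VirtualHost *:443>
    ServerName enfeedia.com
    SSLCertificateFile /etc/letsencrypt/live/enfeedia.com/cert.pem
    SSLCertificateKeyFile $FAKE_KEY
EOF

# vhost_balance <conf>: prints "<opens> <closes>", counting only uncommented tags.
vhost_balance() {
    opens=$(grep -c '^[[:space:]]*<VirtualHost' "$1" || true)
    closes=$(grep -c '^[[:space:]]*</VirtualHost>' "$1" || true)
    printf '%s %s\n' "$opens" "$closes"
}

# missing_cert_files <conf>: prints each SSLCertificate{,Key,Chain}File path that is
# absent or empty. /etc/letsencrypt/live is readable only by root, so run this as
# root or every path will be reported missing even when it exists.
missing_cert_files() {
    grep -E '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' "$1" |
    awk '{ print $2 }' |
    while read -r path; do
        [ -s "$path" ] || printf '%s\n' "$path"
    done
}

# preflight <conf>: returns 0 only if the blocks balance and every cert file exists;
# `apachectl -t` (run as root) remains the authoritative check afterwards.
preflight() {
    bal=$(vhost_balance "$1")
    [ "${bal% *}" -eq "${bal#* }" ] || { echo "unbalanced VirtualHost tags: $bal" >&2; return 1; }
    missing=$(missing_cert_files "$1")
    [ -z "$missing" ] || { echo "missing cert file(s): $missing" >&2; return 1; }
}
```

Run it against each file in /etc/httpd/conf.d that contains VirtualHost blocks; it reports the first problem found and exits non-zero.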